A blog post by mobile security firm Zimperium revealed that Android researcher Joshua Drake discovered the “Mother of all Android Vulnerabilities.” Named Stagefright, after the Android media playback engine where it originates, the flaw impacts an estimated 95% of Android devices and doesn’t require any interaction from the victim. “If you ever heard about the ‘Heartbleed,’” the firm notes, “this is much worse.”
They explain, “Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats.” As Lucian Constantin explains at PC World, the Stagefright library is not only used for media playback, but also to automatically generate thumbnails, and to extract metadata like length, height, width, frame rate, channels, etc., from video and audio files.
Drake “dived into the deepest corners of Android code” and found “multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.” Attackers only need your phone number to target you by sending a media file delivered by MMS. As Aarti Shahani reports for NPR, essentially, the hacker creates a short video file, hides the malware inside, and texts it to your number.
How quickly the exploit is completed depends on which messaging app you’ve set as your default. Hangouts instantly processes videos, inviting the malware right in. As soon as the message is received by your phone, Drake explains, “it does its initial processing, which triggers the vulnerability.” If you’re using the standard Messenger app, Drake says the exploit is “a tiny bit less dangerous,” since you have to view the text message before your phone processes the attachment. Drake notes, however, that “it does not require in either case for the targeted user to have to play back the media at all.” In fact, you may only see the notification, as a “fully weaponized successful attack” could even delete the message before you have a chance to see it.
In the worst case scenario, the researchers explain, “this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.” Once the exploit is completed, and depending on the depth of permissions that Stagefright is granted, the hacker could remotely operate your phone’s microphone, take over your camera, steal your files, read your emails, and access your data.
Android devices running version 2.2 and newer are vulnerable, and devices running versions prior to Jelly Bean are at the greatest risk due to “inadequate exploit mitigations.” Zimperium reported the vulnerability to Google and also submitted patches, which Google applied within 48 hours. However, for the vulnerability to be actually fixed on a user’s device, he or she needs to download a firmware update — which takes a long time to reach users. Owners of devices older than 18 months will likely never receive an update. “If you’re an end user or enterprise, contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated with the requisite patches,” Zimperium recommends.
As Tom Simonite reports for MIT’s Technology Review, Google compromised the security of the Android operating system from the beginning by giving up the ability to push out crucial security patches, like one that can fix this vulnerability for the estimated 950 million devices affected. The problem isn’t that Android has security holes, since all software does. The problem is that Google doesn’t have an effective way to fix Android’s flaws.
Google can’t send you an update for Android, since device manufacturers and even wireless carriers make changes and complete their own testing on a release before it gets to you. And as Simonite notes, those companies seem to prioritize their own businesses and their independence from Google over the security of the phones that they’ve already sold. Google does have some requirements for the companies that use Android, but it doesn’t require security updates, even critical ones, to be deployed quickly.
This state of affairs leaves users unable to take advantage of what Google’s own security researchers recently named as the most important tactic to stay safe: installing software updates. Simonite reports that Google has come up with some workarounds for Android’s flawed security, including moving many key functions into apps, which it can update directly through the app store. But there’s still no way for the company to signal whether an app update’s purpose is to patch a flaw or simply to add new features, and the Stagefright vulnerability can’t be fully fixed simply by updating apps.
It’s likely that most vulnerable phones won’t ever get an update containing the security patches that Google has offered to device manufacturers and wireless carriers. Drake estimates that between 20 and 50% of devices will be offered such an update, based on his past experience with Android updates. Zimperium’s researchers write, “We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action. In addition to fixing these individual issues, we hope they will also fix any business processes that prevent or slow the uptake of such fixes.”